Rule without user authentication overriding rules with user authentication FortiOS 5.2
Hello everyone,

- I have a default firewall rule (rule 1) allowing access to the internet for all connections from the inside interface on a Fortigate 200D with FortiOS 5.0.
- Then I configured firewall rules with user authentication on top of rule 1, to allow only authenticated users to access the internet. This prevented unauthenticated users from accessing the internet; everything worked fine, until I upgraded the firmware to FortiOS 5.2.
- Now, I notice that unauthenticated users are using rule 1 to access the internet, and when I disable or remove rule 1, even authenticated users can no longer access the internet. When rule 1 is enabled, both authenticated and unauthenticated users can access the internet.
- I want to allow only authenticated users to have access to the internet, and get rid of rule 1.

Any help is urgently needed.

Thank you,
Jaures.
Labels: 5.2
Hey Jaures,
It is possible that something during the firmware update made your policy #2 invalid and so all traffic is hitting policy #1, or perhaps the upgrade has stopped your user authentication from working. Are you using local user/groups or remote groups?
Have you tried a
#diag test authserver
with the appropriate values?
Would it be possible for you to show us the output from
#show firewall policy
Cheers,
Nathan
Hello Nathan,
Thanks for the reply. Please see attached for #show firewall policy output.
I think I have narrowed down the issue to the fact that, using FSSO for user authentication, the collector agent on the server is showing "not verified" for many users. And because of the "fall through" in 5.2, only policy#1 is applied to those users.
I have seen the solution Fortinet provided for mitigating the "not verified" issue:
• Most commonly, a host firewall on the user's workstation or a router on the network prevents remote access on ports 139 and/or 445. Try opening the ports on the host firewall.
• If the remote registry service is not running on the user's workstation, the Collector agent will not be able to connect to the registry remotely. Make sure the remote registry service is running.
• This problem may also be caused by a known MS upgrade issue. Using Regedit.exe, edit “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers”, set permissions for winreg and allow Local Service with R and W permissions.
I have checked all this, but I am still having some users whose status shows "not verified" in the FSSO collector agent.
Any help on this please?
Thank you.
Jaures.
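The behaviour described in this thread (a catch-all policy below identity-based policies, and users the FSSO collector reports as "not verified" falling through to it after the 5.2 upgrade) can be reproduced with a small first-match policy model. This is an added illustration, not FortiOS code or anything posted in the thread: the policy IDs, interface names, group name, IP addresses and the FSSO logon table are constructed for the example, and the `fall_through` switch is a simplified stand-in for the 5.0 versus 5.2 difference the question describes, not a reproduction of FortiOS internals.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass
class Policy:
    """One firewall policy; an empty `groups` set means no identity requirement."""
    policy_id: int
    srcintf: str
    dstintf: str
    groups: FrozenSet[str] = frozenset()
    enabled: bool = True


# Constructed FSSO logon table as the firewall would see it: only logons the
# collector agent reports as verified arrive here. 10.0.0.13 ("carol") is a
# real domain user whose workstation the collector shows as "not verified",
# so she has no entry and is unknown to the firewall.
FSSO_LOGONS: Dict[str, Tuple[str, Set[str]]] = {
    "10.0.0.11": ("alice", {"INTERNET-USERS"}),
    "10.0.0.12": ("bob", {"INTERNET-USERS"}),
}


def match(policies: List[Policy], srcintf: str, dstintf: str, src_ip: str,
          logons: Dict[str, Tuple[str, Set[str]]],
          fall_through: bool = True) -> Optional[int]:
    """First-match evaluation. Returns the matching policy id, or None for the
    implicit deny.

    fall_through=True models the 5.2-style behaviour from the thread: a policy
    with a group requirement is skipped for traffic without a verified logon in
    one of those groups, and evaluation continues to the next policy.
    fall_through=False models the pre-upgrade behaviour the question describes:
    traffic that matches the identity policy's interfaces but cannot be
    authenticated is denied there instead of reaching later policies.
    """
    logon = logons.get(src_ip)
    for p in policies:
        if not p.enabled or p.srcintf != srcintf or p.dstintf != dstintf:
            continue
        if p.groups and not (logon and logon[1] & p.groups):
            if fall_through:
                continue          # unidentified: keep looking further down
            return None           # unidentified: deny here
        return p.policy_id
    return None


# Policy 2 (authenticated users) sits above policy 1 (catch-all), as in the thread.
POLICY_AUTH = Policy(2, "internal", "wan1", frozenset({"INTERNET-USERS"}))


def evaluate(catchall_enabled: bool, fall_through: bool) -> Dict[str, Optional[int]]:
    """Evaluate a verified user (alice) and an unverified one (carol) against the
    two-policy table for one combination of settings."""
    catchall = Policy(1, "internal", "wan1", enabled=catchall_enabled)
    policies = [POLICY_AUTH, catchall]
    return {
        ip: match(policies, "internal", "wan1", ip, FSSO_LOGONS, fall_through)
        for ip in ("10.0.0.11", "10.0.0.13")
    }


if __name__ == "__main__":
    for catchall, ft in ((True, True), (False, True), (True, False)):
        print(f"catch-all enabled={catchall} fall_through={ft}: "
              f"{evaluate(catchall, ft)}")
```

With fall-through on and the catch-all enabled, the unverified user lands on policy 1, which is exactly the symptom from the first post; disabling the catch-all turns that into an implicit deny for her while the verified user still matches policy 2. The same disabled catch-all also explains why users the collector lists as "not verified" lose access entirely: to the firewall they are simply unidentified, so fixing the collector's verification is what restores their match on policy 2.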
